Sun. Sep 25th, 2022
    en flag
    nl flag
    et flag
    fi flag
    fr flag
    de flag
    he flag
    ja flag
    lv flag
    pl flag
    pt flag
    es flag
    uk flag

    Content Assessment: The Tip of the Iceberg? New ENISA Report on the Threat Landscape for Ransomware Attacks

    Information - 95%
    Insight - 96%
    Relevance - 92%
    Objectivity - 93%
    Authority - 94%



    A short percentage-based assessment of the qualitative benefit of the recently released report from the European Union Agency for Cybersecurity (ENISA) on the threat landscape for ransomware.

    Editor’s Note: From time to time, ComplexDiscovery highlights publicly available or privately purchasable announcements, content updates, and research from cyber, data, and legal discovery providers, research organizations, and ComplexDiscovery community members. While ComplexDiscovery regularly highlights this information, it does not assume any responsibility for content assertions.

    To submit recommendations for consideration and inclusion in ComplexDiscovery’s cyber, data, and legal discovery-centric service, product, or research announcements, contact us today.

    Background Note: The European Union Agency for Cybersecurity, ENISA, is the Union’s agency dedicated to achieving a high common level of cybersecurity across Europe. Established in 2004 and strengthened by the EU Cybersecurity Act, the European Union Agency for Cybersecurity contributes to EU cyber policy, enhances the trustworthiness of ICT products, services, and processes with cybersecurity certification schemes, cooperates with Member States and EU bodies, and helps Europe prepare for the cyber challenges of tomorrow. Through knowledge sharing, capacity building, and awareness-raising, the Agency works together with its key stakeholders to strengthen trust in the connected economy, to boost resilience of the Union’s infrastructure, and, ultimately, to keep Europe’s society and citizens digitally secure. Focused on knowledge sharing and awareness-raising, this new report presents the threat landscape for ransomware attacks based on an analysis of 623 ransomware incidents across the EU, UK, and US. The report may be beneficial for cybersecurity, information governance, and legal discovery professionals seeking to better understand and address cybersecurity threats.

    Press Release and Report*

    ENISA Threat Landscape for Ransomware Attacks

    European Union Agency for Cybersecurity (ENISA)

    Press Release

    Ransomware: Publicly Reported Incidents Are Only The Tip Of The Iceberg

    As one of the most devastating types of cybersecurity attacks over the last decade, ransomware has grown to impact organizations of all sizes across the globe.

    What is ransomware?

    Ransomware is a type of cybersecurity attack that allows threat actors to take control of the assets of a target and demand ransom for the availability and confidentiality of these assets.

    What the report covers

    This threat landscape report analyzed a total of 623 ransomware incidents across the EU, the United Kingdom and the United States for a reporting period from May 2021 to June 2022. The data was gathered from governments’ and security companies’ reports, from the press, verified blogs and in some cases using related sources from the dark web.

    The findings and what they tell us

    Between May 2021 and June 2022 about 10 terabytes of data were stolen each month by ransomware threat actors. 58.2% of the data stolen included employees’ personal data.

    At least 47 unique ransomware threat actors were found.

    For 94.2% of incidents, we do not know whether the company paid the ransom or not. However, when the negotiation fails, the attackers usually expose and make the data available on their webpages. This is what happens in general and is a reality for 37,88% of incidents.

    We can therefore conclude that the remaining 62.12% of companies either came to an agreement with the attackers or found another solution.

    The study also shows that companies of every size and from all sectors are affected.

    In reality, the study reveals that the total number of ransomware attacks is much larger. At present this total is impossible to capture since too many organizations still do not make their incidents public or do not report on them to the relevant authorities.

    Information about the disclosed incidents is also quite limited since in most cases the affected organizations are unaware of how threat actors managed to get initial access. In the end, organizations might deal with the issue internally (e.g. decide to pay the ransom) to avoid negative publicity and ensure business continuity. However, such an approach does not help fight the cause – on the contrary, it encourages the phenomenon instead, fuelling the ransomware business model in the process.

    It is in the context of such challenges that ENISA is exploring ways to improve this reporting of incidents. The revised Network and Information Security Directive (NIS 2) is expected to change the way cybersecurity incidents are notified. The new provisions will aim to support a better mapping and understanding of the relevant incidents.

    What can Ransomware do: the lifecycle and the business models

    According to the analysis of the report, ransomware attacks can target assets in four different ways: the attack can either Lock, Encrypt, Delete or Steal (LEDS) the target’s assets. Targeted assets can be anything such as documents or tools from files, databases, web services, content management systems, screens, master boot records (MBR), master file tables (MFT), etc.

    The life cycle of ransomware remained unchanged until around 2018 when ransomware started to add more functionality and when blackmailing techniques matured. We can identify five stages of a ransomware attack: initial access, execution, action on objectives, blackmail, and ransom negotiation. These stages do not follow a strict sequential path.

    5 different ransomware business models emerged from the study:

    1. A model focused around individual attackers;
    2. A model focused around group threat actors;
    3. A ransomware-as-a-service model;
    4. A data brokerage model; and,
    5. A model aimed mostly at achieving notoriety as key for a successful ransomware business (ransomware operators need to maintain a certain reputation of notoriety, otherwise, victims will not pay the ransom).

    The report recommends the following:

    Strengthen your resilience against ransomware by taking actions such as:

    • keep an updated backup of your business files & personal data;
    • keep this backup isolated from the network;
    • apply the 3-2-1 rule of backup: 3 copies, 2 different storage media, 1 copy offsite;
    • run security software designed to detect most ransomware in your endpoint devices;
    • restrict administrative privileges; etc.

    If you fall victim of a ransomware attack: 

    • contact the national cybersecurity authorities or law enforcement for guidance;
    • do not pay the ransom and do not negotiate with the threat actors;
    • quarantine the affected system;
    • visit the No More Ransom Project, a Europol initiative; etc.

    It is strongly recommended to share your ransomware incident information with your authorities to be able to alert potential victims, identify threat actors, support the security research and develop means to prevent such attacks or better respond to them.

    Find out more in the report: ENISA Threat Landscape for Ransomware Attacks

    ENISA’s work on the Cybersecurity Threat Landscape

    Ransomware was already classified as a prime threat in ENISA’s Annual Threat Landscape of 2021 and had consistently been considered among the prime threats in previous ETL editions.

    This ransomware threat landscape report was developed on the basis of the recently published ENISA Threat Landscape Methodology — ENISA ( The new methodology aims to provide a consistent and trusted baseline for the transparent delivery of horizontal, thematic and sectorial cybersecurity threat landscapes using a systematic and transparent process for data collection and analysis.

    ENISA is constantly looking for ways to gather feedback and to continually improve and update the methodology applied to the performance of cybersecurity threat landscapes. Please feel free to reach out to with suggestions.

    Target audience:

    • European Commission and European Member States policy makers (including but not limited to European Union institutions (EUIs);
    • EU institutions, bodies and agencies (EUIBAs);
    • Cybersecurity experts, industry, vendors, solution providers, SMEs;
    • Member States and national authorities (e.g. cybersecurity authorities);

    Further information:

    Read the original announcement.

    Complete Report: ENISA Threat Landscape for Ransomware Attacks (PDF) – Mouseover to Scroll

    ENISA Threat Landscape for Ransomware Attacks

    Read the original report.

    *Shared with permission.

    Additional Reading

    Source: ComplexDiscovery


    Have a Request?

    If you have information or offering requests that you would like to ask us about, please let us know and we will make our response to you a priority.

    ComplexDiscovery is an online publication that highlights cyber, data, and legal discovery insight and intelligence ranging from original research to aggregated news for use by cybersecurity, information governance, and eDiscovery professionals. The highly targeted publication seeks to increase the collective understanding of readers regarding cyber, data, and legal discovery information and issues and to provide an objective resource for considering trends, technologies, and services related to electronically stored information.

    ComplexDiscovery OÜ is a technology marketing firm providing strategic planning and tactical execution expertise in support of cyber, data, and legal discovery organizations. Focused primarily on supporting the ComplexDiscovery publication, the company is registered as a private limited company in the European Union country of Estonia, one of the most digitally advanced countries in the world. The company operates virtually worldwide to deliver marketing consulting and services.

    Leaning Forward? The CISA 2023-2025 Strategic Plan

    The purpose of the CISA Strategic Plan is to communicate the...

    Continuous Risk Improvement? Q3 Cyber Round-Up From Cowbell Cyber

    According to Manu Singh, director of risk engineering at Cowbell, "Every...

    A Comprehensive Cyber Discovery Resource? The DoD Cybersecurity Policy Chart from CSIAC

    The Cyber Security and Information Systems Information Analysis Center (CSIAC) is...

    Rapidly Evolving Cyber Insurance? Q2 Cyber Round-Up From Cowbell Cyber

    According to Isabelle Dumont, SVP of Marketing and Technology Partners at...

    Revealing Response? Nuix Responds to ASX Request for Information

    The following investor news update from Nuix shares a written response...

    Revealing Reports? Nuix Notes Press Speculation

    According to a September 9, 2022 market release from Nuix, the...

    Regards to Broadway? HaystackID® Acquires Business Intelligence Associates

    According to HaystackID CEO Hal Brooks, “BIA is a leader in...

    One Large Software and Cloud Business? OpenText to Acquire Micro Focus

    According to OpenText CEO & CTO Mark J. Barrenechea, “We are...

    On the Move? 2022 eDiscovery Market Kinetics: Five Areas of Interest

    Recently ComplexDiscovery was provided an opportunity to share with the eDiscovery...

    Trusting the Process? 2021 eDiscovery Processing Task, Spend, and Cost Data Points

    Based on the complexity of cybersecurity, information governance, and legal discovery,...

    The Year in Review? 2021 eDiscovery Review Task, Spend, and Cost Data Points

    Based on the complexity of cybersecurity, information governance, and legal discovery,...

    A 2021 Look at eDiscovery Collection: Task, Spend, and Cost Data Points

    Based on the complexity of cybersecurity, information governance, and legal discovery,...

    Five Great Reads on Cyber, Data, and Legal Discovery for September 2022

    From privacy legislation and special masters to acquisitions and investigations, the...

    Five Great Reads on Cyber, Data, and Legal Discovery for August 2022

    From AI and Big Data challenges to intriguing financial and investment...

    Five Great Reads on Cyber, Data, and Legal Discovery for July 2022

    From lurking business undercurrents to captivating deepfake developments, the July 2022...

    Five Great Reads on Cyber, Data, and Legal Discovery for June 2022

    From eDiscovery ecosystem players and pricing to data breach investigations and...

    Cooler Temperatures? Fall 2022 eDiscovery Business Confidence Survey Results

    Since January 2016, 2,874 individual responses to twenty-eight quarterly eDiscovery Business...

    Inflection or Deflection? An Aggregate Overview of Eight Semi-Annual eDiscovery Pricing Surveys

    Initiated in the winter of 2019 and conducted eight times with...

    Changing Currents? Eighteen Observations on eDiscovery Business Confidence in the Summer of 2022

    In the summer of 2022, 54.8% of survey respondents felt that...

    Challenging Variants? Issues Impacting eDiscovery Business Performance: A Summer 2022 Overview

    In the summer of 2022, 28.8% of respondents viewed increasing types...

    Nuclear Options? Ukraine Conflict Assessments in Maps (September 17 – 21, 2022)

    According to a recent update from the Institute for the Study...

    Mass Graves and Torture Chambers? Ukraine Conflict Assessments in Maps (September 12 – 16, 2022)

    According to a recent update from the Institute for the Study...

    On The Run? Ukraine Conflict Assessments in Maps (September 7 – 11, 2022)

    According to a recent update from the Institute for the Study...

    Tangible Degradation? Ukraine Conflict Assessments in Maps (September 2 – 6, 2022)

    According to a recent update from the Institute for the Study...